Volatility3 core commands
Assume you're given a memory sample that is probably from a Windows host, but you have minimal information about it. Here's how to identify basic host information (OS version and build, the symbol table Volatility selected, memory layer details) using Volatility 3:

$ python3 vol.py -f /path/to/memory.dump windows.info

Sometimes Volatility outputs a lot of information and it's not necessarily easy to read. You can use the -r (--renderer) flag to change the output format: pretty (tabulated), json, csv, or quick (the default). Because it's a global option, -r goes before the plugin name. More information here: https://volatility3.readthedocs.io/en/stable/volatility3.cli.text_renderer.html
I typically export results as csv if I want to import them into a timeline, filter them in Excel, etc.

$ python3 vol.py -r csv -f /path/to/memory.dump windows.info

Display process information (PID, PPID, image name, thread count, session, create/exit time):

$ python3 vol.py -f /path/to/memory.dump windows.pslist

If you want the same process information but with the parent/child relationships drawn as a tree, one level of indentation per depth:

$ python3 vol.py -f /path/to/memory.dump windows.pstree

Dump the executable, DLLs and other file objects mapped or held open by a process (you need its PID first, from pslist or pstree). The output directory -o is a global option, so it also goes before the plugin name. Only file content that was still cached in memory at capture time can be recovered, so expect some dumps to be incomplete:

$ python3 vol.py -f /path/to/memory.dump -o /output/directory/ windows.dumpfiles --pid 4628
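The csv export is most useful once you do something with it. The following is an added example, not code from the original page or from the Volatility project: it parses a constructed sample of csv-rendered windows.pslist output, rebuilds the parent/child tree that windows.pstree would show, flags processes whose parent is missing from the listing, and checks a few core Windows processes against the parent they should have (a fake lsass.exe spawned by powershell.exe is planted in the sample). The column header is the windows.pslist column set as I assume the csv renderer emits it (TreeDepth prepended), the rows are made up, and EXPECTED_PARENT is my own list of expected lineage, not anything Volatility ships.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of `python3 vol.py -r csv -f memory.dump windows.pslist`
# output. The header is the windows.pslist column set as I assume it in the
# Volatility 3 csv renderer (which prepends TreeDepth); every row is made up.
# PID 4830 is a deliberately planted "lsass.exe" running under powershell.exe.
SAMPLE_PSLIST_CSV = """\
TreeDepth,PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0x9e8b5c067040,120,N/A,N/A,False,2023-03-10 08:01:15.000000 ,N/A,Disabled
0,348,4,smss.exe,0x9e8b5d2c9080,2,N/A,N/A,False,2023-03-10 08:01:16.000000 ,N/A,Disabled
0,456,440,csrss.exe,0x9e8b5dc4b140,10,N/A,0,False,2023-03-10 08:01:18.000000 ,N/A,Disabled
0,548,440,wininit.exe,0x9e8b5dd3a080,1,N/A,0,False,2023-03-10 08:01:18.000000 ,N/A,Disabled
0,640,548,services.exe,0x9e8b5de05080,5,N/A,0,False,2023-03-10 08:01:19.000000 ,N/A,Disabled
0,660,548,lsass.exe,0x9e8b5de0c340,8,N/A,0,False,2023-03-10 08:01:19.000000 ,N/A,Disabled
0,1232,640,svchost.exe,0x9e8b5e3b1080,12,N/A,0,False,2023-03-10 08:01:22.000000 ,N/A,Disabled
0,3004,2980,explorer.exe,0x9e8b5f1e2080,40,N/A,1,False,2023-03-10 08:02:01.000000 ,N/A,Disabled
0,4628,3004,WINWORD.EXE,0x9e8b5f9a7080,22,N/A,1,True,2023-03-10 08:15:40.000000 ,N/A,Disabled
0,4712,4628,powershell.exe,0x9e8b5fa11080,9,N/A,1,False,2023-03-10 08:15:42.000000 ,N/A,Disabled
0,4830,4712,lsass.exe,0x9e8b5fb23080,3,N/A,1,False,2023-03-10 08:15:50.000000 ,N/A,Disabled
"""

# Assumed expectations about core Windows process lineage (my list, not Volatility's).
EXPECTED_PARENT = {
    "smss.exe": "system",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
}


def parse_pslist(csv_text):
    """Parse csv-rendered pslist output into dicts keyed by column name, with numeric PIDs."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["PID"] = int(row["PID"])
        row["PPID"] = int(row["PPID"])
        row["CreateTime"] = row["CreateTime"].strip()
        rows.append(row)
    return rows


def build_tree(rows):
    """Return (by_pid, children, roots); roots are PIDs whose parent is not in the listing."""
    by_pid = {r["PID"]: r for r in rows}
    children = defaultdict(list)
    roots = []
    for r in rows:
        if r["PPID"] in by_pid:
            children[r["PPID"]].append(r["PID"])
        else:
            roots.append(r["PID"])
    return by_pid, children, roots


def render_tree(rows):
    """Reconstruct a pstree-style view from pslist rows: one '*' per level of depth."""
    by_pid, children, roots = build_tree(rows)
    lines = []

    def walk(pid, depth):
        r = by_pid[pid]
        lines.append(f"{'*' * depth}{r['ImageFileName']} ({pid}) <- {r['PPID']}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(roots):
        walk(root, 0)
    return lines


def find_orphans(rows):
    """PIDs whose parent has exited or is missing from the listing (System's PPID 0 excluded)."""
    by_pid, _, roots = build_tree(rows)
    return [pid for pid in roots if by_pid[pid]["PPID"] != 0]


def find_parent_anomalies(rows):
    """Core processes whose actual parent differs from EXPECTED_PARENT, e.g. a fake lsass.exe."""
    by_pid = {r["PID"]: r for r in rows}
    hits = []
    for r in rows:
        want = EXPECTED_PARENT.get(r["ImageFileName"].lower())
        if want is None:
            continue
        parent = by_pid.get(r["PPID"])
        actual = parent["ImageFileName"] if parent else "<missing>"
        if actual.lower() != want:
            hits.append((r["PID"], r["ImageFileName"], r["PPID"], actual))
    return hits


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST_CSV)
    print("\n".join(render_tree(procs)))
    print("orphans:", find_orphans(procs))
    for pid, name, ppid, parent in find_parent_anomalies(procs):
        print(f"ANOMALY: {name} ({pid}) has parent {parent} ({ppid})")
```

Against a real sample, redirect the csv output to a file (`python3 vol.py -r csv -f memory.dump windows.pslist > pslist.csv`) and feed its contents to parse_pslist; if your Volatility build prints a different column set, adjust the header names the parser reads. Orphaned processes are normal for things like csrss.exe and explorer.exe whose parents have exited, so treat that list as a prompt to look at create times rather than as an alert on its own.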